Mobile Security Gateways (SE-GW)

10/12/2017

Overview

Mobile Network Operators (MNOs) continue to build out high bandwidth coverage in urban areas by offloading saturated macro cells on to broader scale small cell deployments. Bound to satisfy unrelenting consumer demand for higher bandwidth connectivity in densely populated areas, many MNOs are investing heavily in major capacity upgrades with LTE mini eNodeB and public access femtocell rollouts on the rise.

In fact a recent IHS Markit report estimated that the global small cell market, including indoor and outdoor small cells, grew 26 percent year-over-year in 2016, to $1.5 billion. Small cell indoor unit shipments outstripped outdoor shipments in 2016, with much operator focus on enterprise and public venue deployments to support consistent indoor voice and data performance. IHS forecast the global small cell market to continue to grow at a compound annual growth rate (CAGR) of 8.4% from 2016 to 2021, to reach $2.2B (1).

Challenges

At the same time MNOs are seriously challenged by new security risks that can adversely affect their network infrastructure, causing potential denials of service or compromising user data. As such, base station security is critical; authentication processes, user identity and data flows need to be meticulously protected from hackers trying to gain access, intercept data or compromise services.

The SeGW based on the FWA-5020 is deployed at the network edge and has a capacity of up to 40 Gbps of full duplex throughput even with high volumes of small packets. It performs authentication, encryption, and authorization of every data packet before it can pass through the evolved packet core (EPC) and into the core network. The gateway supports up to 1 million concurrent IPsec tunnels or 2 million IPsec Security Associations and 5,000 tunnels per second. From a performance perspective it is capable of 100 Gbps IPsec throughput for 128 byte packets and 110 Gbps for 256 byte packets.

Solution

To provide comprehensive protective measures, 3GPP has carefully defined the security mechanisms that must be implemented by security gateways (SeGW) in 3G and 4G networks. Instead of locating gateways in the network core itself and then backhauling the data to the gateway for processing, data is secured as it hits the network by placing gateways at the very edge, accepting only authorized traffic onto the core network and then encrypting it using strong protocols such as IPsec.

But mobile networks also need to provision for millions of subscribers and associations, handling thousands of IPsec tunnels per second. This requires a solution that brings together all the aspects of performance, throughput, and scalability that an MNO will need, integrated into a cost-effective and viable package.

Casa Systems partnered with Intel and Intel Network Builders members Advantech and Wind River to develop a complete, deployable gateway solution, at the core of which is a high performance network appliance from Advantech.

The FWA-5020 is a 1U rackmount appliance optimized for networking applications that features either one or two Intel® Xeon® E5-2600 v4 processors. The appliance can be configured with 12- to 22-core CPUs thanks to advanced thermal system design that supports processor wattage of up to 145W.

The system architecture of the FWA-5020 puts an emphasis on compute performance, data plane throughput and encryption throughput. Some of the optimizations include larger on-chip cache memories and Intel QuickPath Interconnects, running at up to 9.6GT/s for reduced cross-socket memory I/O latencies and increased throughput.

Memory support for each socket includes 4 DDR4 channels with speeds up to 2400 MHz for up to 512GB of error correcting code (ECC) memory. To provide failover capability, the server features advanced reliability, availability, and serviceability (RAS) modes such as mirroring and sparing to increase platform reliability.

The enhanced system architecture, with two PCIe Gen3 x8 slots per CPU for density-optimized network mezzanine cards (NMC) and one PCIe Gen3 x16 slot per CPU for dual QuickAssist DH8955 adapters, provides an efficient platform for maximum packet and crypto throughput in a reduced 1RU footprint. For management, the server has two built-in 1000Base-T ports, 2 USB ports and a console port with advanced LAN bypass and two 10GbE SFP+ ports. These built-in options can be augmented by the four front-loaded NMC slots that provide the ability to add additional modules.